Nmap Development mailing list archives

Re: Nmap loops with "Unable to find listening socket in get_rpc_results" error [2]


From: Lionel Cons <lionel.cons () cern ch>
Date: Tue, 10 Nov 2009 17:06:19 +0100

Fyodor writes:
o Does this happen pretty much every time you scan the target machine,
  or is it intermittent?

I found at least one machine where I can always reproduce the problem.

Can you try to reduce that step by step until you can find the minimal
command which still reproduces the problem?

Done. Here is the minimal set:

# nmap -sS -sU -sR -p T:55491,U:111 <victim>

 o Only one system does this to you?  Is it on the Internet where I
   can scan it, or an internal system?  What do you get from "rpcinfo -p
   <target>" and "nmap -p- -A -T4 <target>"?

This system is not reachable from the Internet. Here are the requested
outputs.

Cheers,

Lionel

   program vers proto   port
    100000    4   tcp    111  portmapper
    100000    3   tcp    111  portmapper
    100000    2   tcp    111  portmapper
    100000    4   udp    111  portmapper
    100000    3   udp    111  portmapper
    100000    2   udp    111  portmapper
    100024    1   udp  32772  status
    100024    1   tcp  32771  status
    100133    1   udp  32772
    100133    1   tcp  32771
    100021    1   udp   4045  nlockmgr
    100021    2   udp   4045  nlockmgr
    100021    3   udp   4045  nlockmgr
    100021    4   udp   4045  nlockmgr
    100021    1   tcp   4045  nlockmgr
    100021    2   tcp   4045  nlockmgr
    100021    3   tcp   4045  nlockmgr
    100021    4   tcp   4045  nlockmgr
    100005    1   udp  32778  mountd
    100005    2   udp  32778  mountd
    100005    3   udp  32778  mountd
    100005    1   tcp  32776  mountd
    100005    2   tcp  32776  mountd
    100005    3   tcp  32776  mountd
    100003    2   udp   2049  nfs
    100003    3   udp   2049  nfs
    100227    2   udp   2049  nfs_acl
    100227    3   udp   2049  nfs_acl
    100003    2   tcp   2049  nfs
    100003    3   tcp   2049  nfs
    100227    2   tcp   2049  nfs_acl
    100227    3   tcp   2049  nfs_acl
    100026    1   udp  32779  bootparam
    100026    1   tcp  32777  bootparam
1289637086    5   tcp  55491
1289637086    1   tcp  55491

Starting Nmap 5.05BETA1 ( http://nmap.org ) at 2009-11-10 09:44 CET
Nmap scan report for victim (1.2.3.4)
Host is up (0.00056s latency).
Not shown: 65507 closed ports
PORT      STATE    SERVICE          VERSION
111/tcp   open     rpcbind
|  rpcinfo:  
|  100000      2,3,4      111/udp  rpcbind      
|  100003      2,3       2049/udp  nfs          
|  100227      2,3       2049/udp  nfs_acl      
|  100021      1,2,3,4   4045/udp  nlockmgr     
|  100024      1        32772/udp  status       
|  100133      1        32772/udp  nsm_addrand  
|  100005      1,2,3    32778/udp  mountd       
|  100026      1        32779/udp  bootparam    
|  100000      2,3,4      111/tcp  rpcbind      
|  100003      2,3       2049/tcp  nfs          
|  100227      2,3       2049/tcp  nfs_acl      
|  100021      1,2,3,4   4045/tcp  nlockmgr     
|  100024      1        32771/tcp  status       
|  100133      1        32771/tcp  nsm_addrand  
|  100005      1,2,3    32776/tcp  mountd       
|  100026      1        32777/tcp  bootparam    
|_ 1289637086  1,5      55491/tcp  dtcm         
512/tcp   open     exec
513/tcp   open     login
514/tcp   open     tcpwrapped
515/tcp   open     printer          Solaris lpd
601/tcp   open     unknown
2049/tcp  open     rpcbind
3363/tcp  open     tcpwrapped
4045/tcp  open     rpcbind
5252/tcp  filtered unknown
6000/tcp  open     X11              XSun Solaris X11 server
7100/tcp  open     font-service     Sun Solaris fs.auto
8181/tcp  filtered unknown
32771/tcp open     rpcbind
32774/tcp open     sometimes-rpc11?
32776/tcp open     rpcbind
32777/tcp open     rpcbind
55491/tcp open     rpcbind
Device type: general purpose
Running: Sun Solaris 8
OS details: Sun Solaris 8 (SPARC)
Network Distance: 6 hops
Service Info: OSs: Solaris, Unix

OS and Service detection performed. Please report any incorrect results at http://nmap.org/submit/ .
Nmap done: 1 IP address (1 host up) scanned in 488.11 seconds
# nmap -d5 -sS -sU -sR -p T:55491,U:111 1.2.3.4 

Starting Nmap 5.05BETA1 ( http://nmap.org ) at 2009-11-10 16:50 CET
Fetchfile found /usr/share/nmap/nmap-services
The max # of sockets we are using is: 0
--------------- Timing report ---------------
  hostgroups: min 1, max 100000
  rtt-timeouts: init 1000, min 100, max 10000
  max-scan-delay: TCP 1000, UDP 1000, SCTP 1000
  parallelism: min 0, max 0
  max-retries: 10, host-timeout: 0
  min-rate: 0, max-rate: 0
---------------------------------------------
doing 0.0.0.0 = 1.2.3.4
Initiating Ping Scan at 16:50
Scanning 1.2.3.4 [4 ports]
Pcap filter: dst host 1.2.3.1 and (icmp or ((tcp or udp or sctp) and (src host 1.2.3.4)))
Packet capture filter (device eth0): dst host 1.2.3.1 and (icmp or ((tcp or udp or sctp) and (src host 1.2.3.4)))
SENT (0.0470s) ICMP 1.2.3.1 > 1.2.3.4 echo request (type=8/code=0) ttl=45 id=63008 iplen=28 
SENT (0.0470s) TCP 1.2.3.1:56346 > 1.2.3.4:443 S ttl=48 id=20758 iplen=44  seq=331117183 win=1024 <mss 1460>
SENT (0.0470s) TCP 1.2.3.1:56346 > 1.2.3.4:80 A ttl=40 id=13463 iplen=40  seq=0 win=1024 ack=331117183 
SENT (0.0470s) ICMP 1.2.3.1 > 1.2.3.4 Timestamp request (type=13/code=0) ttl=50 id=40714 iplen=40 
**TIMING STATS** (0.0470s): IP, probes active/freshportsleft/retry_stack/outstanding/retranwait/onbench, 
cwnd/ssthresh/delay, timeout/srtt/rttvar/
   Groupstats (1/1 incomplete): 4/*/*/*/*/* 10.00/75/* 1000000/-1/-1
   1.2.3.4: 4/0/0/4/0/0 10.00/75/0 1000000/-1/-1
Current sending rates: 1093.49 packets / s, 41552.76 bytes / s.
Overall sending rates: 1093.49 packets / s, 41552.76 bytes / s.
RCVD (0.0480s) ICMP 1.2.3.4 > 1.2.3.1 echo reply (type=0/code=0) ttl=250 id=53510 iplen=28 
Found 1.2.3.4 in incomplete hosts list.
We got a ping packet back from 1.2.3.4: id = 14049 seq = 0 checksum = 51486
ultrascan_host_probe_update called for machine 1.2.3.4 state UNKNOWN -> HOST_UP (trynum 0 time: 1169)
Timeout vals: srtt: -1 rttvar: -1 to: 1000000 delta 1106 ==> srtt: 1106 rttvar: 5000 to: 100000
Timeout vals: srtt: -1 rttvar: -1 to: 1000000 delta 1106 ==> srtt: 1106 rttvar: 5000 to: 100000
Changing ping technique for 1.2.3.4 to icmp type 8 code 0
Moving 1.2.3.4 to completed hosts list with 0 outstanding probes.
Changing global ping host to 1.2.3.4.
Completed Ping Scan at 16:50, 0.00s elapsed (1 total hosts)
Overall sending rates: 839.63 packets / s, 31905.96 bytes / s.
pcap stats: 3 packets received by filter, 0 dropped by kernel.
mass_rdns: Using DNS server 1.2.5.1
mass_rdns: Using DNS server 1.2.5.2
NSOCK (0.0520s) UDP connection requested to 1.2.5.2:53 (IOD #1) EID 8
NSOCK (0.0520s) Read request from IOD #1 [1.2.5.2:53] (timeout: -1ms) EID 18
NSOCK (0.0520s) UDP connection requested to 1.2.5.1:53 (IOD #2) EID 24
NSOCK (0.0520s) Read request from IOD #2 [1.2.5.1:53] (timeout: -1ms) EID 34
Initiating Parallel DNS resolution of 1 host. at 16:50
mass_rdns: TRANSMITTING for <1.2.3.4> (server <1.2.5.2>)
NSOCK (0.0520s) Write request for 46 bytes to IOD #1 EID 43 [1.2.5.2:53]: .............108.237.138.137.in-addr.arpa.....
NSOCK (0.0520s) nsock_loop() started (timeout=500ms). 5 events pending
NSOCK (0.0520s) Callback: CONNECT SUCCESS for EID 8 [1.2.5.2:53]
NSOCK (0.0520s) Callback: CONNECT SUCCESS for EID 24 [1.2.5.1:53]
NSOCK (0.0520s) Callback: WRITE SUCCESS for EID 43 [1.2.5.2:53]
NSOCK (0.0520s) Callback: READ SUCCESS for EID 18 [1.2.5.2:53] (154 bytes)
NSOCK (0.0520s) Read request from IOD #1 [1.2.5.2:53] (timeout: -1ms) EID 50
CAPACITY <1.2.5.2> = 12
mass_rdns: OK MATCHED <1.2.3.4> to <victim>
mass_rdns: 0.00s 0/1 [#: 2, OK: 0, NX: 0, DR: 0, SF: 0, TR: 1]
Completed Parallel DNS resolution of 1 host. at 16:50, 0.00s elapsed
DNS resolution of 1 IPs took 0.00s. Mode: Async [#: 2, OK: 1, NX: 0, DR: 0, SF: 0, TR: 1, CN: 0]
Initiating SYN Stealth Scan at 16:50
1.2.3.4 pingprobe type ICMP is inappropriate for this scan type; resetting.
Scanning victim (1.2.3.4) [1 port]
Pcap filter: dst host 1.2.3.1 and (icmp or ((tcp or udp or sctp) and (src host 1.2.3.4)))
Packet capture filter (device eth0): dst host 1.2.3.1 and (icmp or ((tcp or udp or sctp) and (src host 1.2.3.4)))
SENT (0.0580s) TCP 1.2.3.1:56346 > 1.2.3.4:55491 S ttl=56 id=902 iplen=44  seq=737339205 win=1024 <mss 1460>
**TIMING STATS** (0.0580s): IP, probes active/freshportsleft/retry_stack/outstanding/retranwait/onbench, 
cwnd/ssthresh/delay, timeout/srtt/rttvar/
   Groupstats (1/1 incomplete): 1/*/*/*/*/* 10.00/75/* 1000000/-1/-1
   1.2.3.4: 1/0/0/1/0/0 10.00/75/0 100000/1106/5000
Current sending rates: 192.38 packets / s, 8464.79 bytes / s.
Overall sending rates: 192.38 packets / s, 8464.79 bytes / s.
RCVD (0.0580s) TCP 1.2.3.4:55491 > 1.2.3.1:56346 SA ttl=59 id=53514 iplen=44  seq=3281484125 win=24820 ack=737339206 
<mss 1460>
Found 1.2.3.4 in incomplete hosts list.
Discovered open port 55491/tcp on 1.2.3.4
Timeout vals: srtt: 1106 rttvar: 5000 to: 100000 delta -583 ==> srtt: 1033 rttvar: 3895 to: 100000
Timeout vals: srtt: -1 rttvar: -1 to: 1000000 delta 523 ==> srtt: 523 rttvar: 5000 to: 100000
Changing ping technique for 1.2.3.4 to tcp to port 55491; flags: S
Moving 1.2.3.4 to completed hosts list with 0 outstanding probes.
Changing global ping host to 1.2.3.4.
Completed SYN Stealth Scan at 16:50, 0.01s elapsed (1 total ports)
Overall sending rates: 179.34 packets / s, 7890.96 bytes / s.
pcap stats: 1 packets received by filter, 0 dropped by kernel.
Initiating UDP Scan at 16:50
Scanning victim (1.2.3.4) [1 port]
Pcap filter: dst host 1.2.3.1 and (icmp or ((tcp or udp or sctp) and (src host 1.2.3.4)))
Packet capture filter (device eth0): dst host 1.2.3.1 and (icmp or ((tcp or udp or sctp) and (src host 1.2.3.4)))
SENT (0.0640s) UDP 1.2.3.1:56346 > 1.2.3.4:111 ttl=42 id=24934 iplen=68 
**TIMING STATS** (0.0640s): IP, probes active/freshportsleft/retry_stack/outstanding/retranwait/onbench, 
cwnd/ssthresh/delay, timeout/srtt/rttvar/
   Groupstats (1/1 incomplete): 1/*/*/*/*/* 10.00/75/* 1000000/-1/-1
   1.2.3.4: 1/0/0/1/0/0 10.00/75/0 100000/1033/3895
Current sending rates: 308.74 packets / s, 20994.13 bytes / s.
Overall sending rates: 308.74 packets / s, 20994.13 bytes / s.
RCVD (0.0650s) UDP 1.2.3.4:111 > 1.2.3.1:56346 ttl=250 id=53515 iplen=60 
Found 1.2.3.4 in incomplete hosts list.
Discovered open port 111/udp on 1.2.3.4
Timeout vals: srtt: 1033 rttvar: 3895 to: 100000 delta 64 ==> srtt: 1041 rttvar: 2937 to: 100000
Timeout vals: srtt: -1 rttvar: -1 to: 1000000 delta 1097 ==> srtt: 1097 rttvar: 5000 to: 100000
Moving 1.2.3.4 to completed hosts list with 0 outstanding probes.
Changing global ping host to 1.2.3.4.
Completed UDP Scan at 16:50, 0.00s elapsed (1 total ports)
Overall sending rates: 228.99 packets / s, 15571.33 bytes / s.
pcap stats: 1 packets received by filter, 0 dropped by kernel.
Starting RPC scan against victim (1.2.3.4)
Fetchfile found /usr/share/nmap/nmap-rpc
Initiating RPCGrind Scan against victim (1.2 at 16:50
Sending initial query to port/prog 100000
Sending RPC probe for program 100000 to 55491/tcp -- scan_offset=0 trynum=0 xid=2606FDA1
Sending initial query to port/prog 100001
Sending RPC probe for program 100001 to 55491/tcp -- scan_offset=1 trynum=0 xid=2606FDA2
Ideal number of queries: 2 outstanding: 2 max 150 ports_left 0 timeout 100000 senddelay: 0us
Timeout, resending to portno/progno 100001
Sending RPC probe for program 100001 to 55491/tcp -- scan_offset=1 trynum=1 xid=6606FDA2
Timeout, resending to portno/progno 100000
Sending RPC probe for program 100000 to 55491/tcp -- scan_offset=0 trynum=1 xid=6606FDA1
Ideal number of queries: 2 outstanding: 2 max 150 ports_left 0 timeout 100000 senddelay: 0us
Timeout, resending to portno/progno 100000
Sending RPC probe for program 100000 to 55491/tcp -- scan_offset=0 trynum=2 xid=FFFFFFFFA606FDA1
Timeout, resending to portno/progno 100001
Sending RPC probe for program 100001 to 55491/tcp -- scan_offset=1 trynum=2 xid=FFFFFFFFA606FDA2
Ideal number of queries: 2 outstanding: 2 max 150 ports_left 0 timeout 100000 senddelay: 0us
Ideal number of queries: 2 outstanding: 2 max 150 ports_left 0 timeout 100000 senddelay: 0us
RPC Scan giving up on port 55491 proto 6 due to repeated lack of response
Ideal number of queries: 2 outstanding: 2 max 150 ports_left 0 timeout 100000 senddelay: 0us
Finished round. Current stats: numqueries_ideal: 2; min_width: 1; max_width: 150; packet_incr: 4; senddelay: 0us; 
fallback: 70%
Ideal number of queries: 2 outstanding: 2 max 150 ports_left 0 timeout 100000 senddelay: 0us
Unable to find listening socket in get_rpc_results
Ideal number of queries: 2 outstanding: 2 max 150 ports_left 0 timeout 100000 senddelay: 0us
Unable to find listening socket in get_rpc_results
Ideal number of queries: 2 outstanding: 2 max 150 ports_left 0 timeout 100000 senddelay: 0us
Unable to find listening socket in get_rpc_results
^C
_______________________________________________
Sent through the nmap-dev mailing list
http://cgi.insecure.org/mailman/listinfo/nmap-dev
Archived at http://seclists.org/nmap-dev/
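An added example, not code from this mail or from Nmap: a small Python parser that turns an `rpcinfo -p` dump like the one quoted above into the grouped one-line-per-program layout nmap's rpcinfo script prints, and lists the program numbers the portmapper registered without a name (in the dump above, 100133 and the private number 1289637086 behind port 55491). The sample input is a constructed subset of the lines quoted in the mail.

```python
import re
from collections import OrderedDict

# Constructed sample: a subset of the rpcinfo -p lines quoted in the mail.
SAMPLE = """\
   program vers proto   port
    100000    4   tcp    111  portmapper
    100000    3   tcp    111  portmapper
    100000    2   tcp    111  portmapper
    100133    1   udp  32772
1289637086    5   tcp  55491
1289637086    1   tcp  55491
"""

# program, version, proto, port, optional name; the header line does not match
LINE_RE = re.compile(r"^\s*(\d+)\s+(\d+)\s+(tcp|udp)\s+(\d+)(?:\s+(\S+))?\s*$")

def parse_rpcinfo(text):
    """Group rpcinfo -p lines by (program, proto, port), collecting versions."""
    entries = OrderedDict()
    for line in text.splitlines():
        m = LINE_RE.match(line)
        if not m:
            continue  # header, blank or unparseable line
        prog, vers, proto, port, name = m.groups()
        entry = entries.setdefault((int(prog), proto, int(port)),
                                   {"versions": [], "name": None})
        if int(vers) not in entry["versions"]:
            entry["versions"].append(int(vers))
        if name:
            entry["name"] = name
    for entry in entries.values():
        entry["versions"].sort()
    return entries

def format_like_nmap(entries):
    """Render one line per entry in the 'prog versions port/proto name' layout."""
    return ["%-11d %-9s %6d/%s  %s" % (prog, ",".join(map(str, e["versions"])),
                                       port, proto, e["name"] or "")
            for (prog, proto, port), e in entries.items()]

def unnamed_programs(entries):
    """Program numbers registered without a name: candidates for manual review."""
    return sorted({prog for (prog, _, _), e in entries.items() if e["name"] is None})

if __name__ == "__main__":
    parsed = parse_rpcinfo(SAMPLE)
    print("\n".join(format_like_nmap(parsed)))
    print("unnamed programs:", unnamed_programs(parsed))
```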